  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 319

What is the best way to connect our Windows 2008 SBS with another Windows 2008 Enterprise Server at a Branch Office?

Good evening.

We have our main server which is a Windows 2008 SBS and is our Domain Controller. We'd like to connect our Branch Office which has a Windows 2008 Enterprise server as a read-only active directory setup.

Is this possible with our current server OS setup? We are using LogMeIn Hamachi as a VPN solution. Any advice will be greatly appreciated!

1 Solution
Rob Williams commented:
Hamachi can be used but it is not the most stable VPN solution and uses dynamic IP addressing for the tunnel creation. I would recommend using two VPN routers, which start at about $150 for a unit like a Netgear FVS318 or Linksys/Cisco RV042.

You mention the remote server is a read only DC? Is it a member of the SBS domain? If so you are already connected. If a member of another domain you cannot create a trust with the SBS. Perhaps if you could provide more details.
Poly11 (Author) commented:
Hi RobWill.

Thanks for the quick response. The remote server is a member of the SBS domain, at least it was before it was relocated to the branch office. I have opened the LDAP port on the firewall to allow the incoming and outgoing traffic, but I am still receiving NETLOGON errors in the event log of the remote server. The following is the error:

This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

I can't open Active Directory Users and Groups because it says the server is not operational. I have also opened the LDAP port on the firewall for the branch office. Are there other ports that should be opened?

I will try and convince the powers that be that a VPN hardware solution is recommended; however, they love Hamachi because of its ease of use and central management capability. We have the paid version of LogMeIn Central which gives us use of Hamachi. I haven't noticed any IP addresses change over the past year.

Could you please let me know if it's possible to get both domain controllers remotely connected with what we have? Thanks again.
Rob Williams commented:
-A VPN should allow all traffic, so that shouldn't be an issue.
-The remote site must use a different subnet, does it?
-Because it is a different subnet some windows services may not work. The default configuration in the Windows firewall for some services is to only allow access from the local subnet. To test this I would disable the Windows firewalls. If that resolves the problem we can proceed from there.
-I suspect though the issue is the routing. The remote server must see the SBS as its ONLY DNS server. Can the remote server ping the SBS? If not you may need to add static routes. If so, this is why you need a pair of VPN routers. The static route would point to the Hamachi IP as the gateway. Hamachi assigns dynamic IPs so this is always changing, though you say you haven't seen any changes.
-Once the remote server can access the SBS you need to add the remote site and subnet in Active Directory sites and services, but I think the routing is the primary concern.

Let me know if the firewall makes a difference and if you can ping the SBS. If not I can supply routes to add.
Again the remote server can point only to the SBS, do not add local or ISP's DNS servers to the NIC configuration, they can be added as forwarders.
I have found Hamachi doesn't consistently work for network to network traffic. The best way I have seen is firewall to firewall (point to point) setups. Then the two can act as the routers and gateways to route traffic through the right subnets. Most of them also won't allow you to use overlapping subnets, which will help you keep things as standard as possible. For ease, I have seen two Untangle firewalls work well (one is set as server, you then make a file to bring to the other one to make it a client, the app does all the configuring for you). I myself like the SonicWalls and found they work really well also.

In regards to the routing, I also agree. Often what you will see is something like unqualified lookups don't work. For example, pinging server1 does not work, but server1.domain.local will, or by IP will.
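The checks Rob and the commenter above ask for (SBS-only DNS on the NIC, ping across the tunnel, the ports NETLOGON needs, short name vs. FQDN resolution, and the NETLOGON errors in the event log) can be run from the branch server in one pass. This is an added example, not a script from the thread; `$SbsIp`, `$SbsName` and `$Domain` are placeholders for your own SBS address, hostname and AD DNS name, and it deliberately uses only PowerShell 2.0-era cmdlets so it runs on Server 2008.

```powershell
# Added branch-DC connectivity check (not from the thread). Placeholders:
# $SbsIp = SBS address reachable through the tunnel, $SbsName = its hostname,
# $Domain = the AD DNS domain. PS 2.0-compatible so it runs on Server 2008.
param(
    [string]$SbsIp   = "10.0.0.1",
    [string]$SbsName = "sbsserver",
    [string]$Domain  = "domain.local"
)

# 1. DNS on every enabled NIC must point at the SBS and nothing else (no ISP/local DNS).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" | ForEach-Object {
    $other = @($_.DNSServerSearchOrder | Where-Object { $_ -ne $SbsIp })
    if ($other.Count -gt 0) {
        Write-Warning "$($_.Description): non-SBS DNS servers configured: $($other -join ', ')"
    } elseif ($_.DNSServerSearchOrder) { Write-Host "$($_.Description): DNS = $SbsIp only" }
}

# 2. Can we reach the SBS across the tunnel at all? If not, fix the static route first.
if (-not (Test-Connection -ComputerName $SbsIp -Count 2 -Quiet)) {
    Write-Warning "No ping reply from $SbsIp; check the static route to the tunnel gateway"
}

# 3. TCP ports a DC client needs beyond LDAP, probed with a raw socket and a 2 s timeout.
$ports = @{ 53 = "DNS"; 88 = "Kerberos"; 135 = "RPC mapper"; 389 = "LDAP"; 445 = "SMB"; 464 = "Kpasswd" }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ar  = $tcp.BeginConnect($SbsIp, $p, $null, $null)
    $ok  = $ar.AsyncWaitHandle.WaitOne(2000, $false) -and $tcp.Connected
    $tcp.Close()
    Write-Host ("  TCP {0,4} {1,-11} {2}" -f $p, $ports[$p], $(if ($ok) { "open" } else { "BLOCKED" }))
}

# 4. Unqualified name vs. FQDN, then the DC-locator SRV record asked directly of the SBS.
foreach ($n in @($SbsName, "$SbsName.$Domain")) {
    try { $ip = [System.Net.Dns]::GetHostAddresses($n)[0]; Write-Host "$n -> $ip" }
    catch { Write-Warning "$n does not resolve (DNS suffix or forwarding problem)" }
}
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $SbsIp 2>&1 | Out-String
if ($srv -match "svr hostname") { Write-Host "DC locator SRV record found via $SbsIp" }
else { Write-Warning "No _ldap._tcp.dc._msdcs SRV record; NETLOGON cannot locate a DC" }

# 5. Latest NETLOGON errors, e.g. the 'no logon servers available' event quoted above.
Get-EventLog -LogName System -Source NETLOGON -EntryType Error -Newest 3 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, @{n = "Message"; e = { ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize
```

Any "BLOCKED" port or a failing short-name lookup points at the firewall or DNS suffix issue rather than at Hamachi itself; once everything passes, the site and subnet still need to be added in Active Directory Sites and Services as Rob notes.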
Poly11 (Author) commented:
Since the recommended changes, Hamachi has been working like a charm. Thanks again, Rob Will!